Disclaimer


This report (“Report”) was prepared by Mazars LLP at the request of the Information Commissioner’s Office (ICO) and terms for the preparation and scope of the Report have been agreed with them. 
The matters raised in this Report are only those which came to our attention during our internal audit work. Whilst every care has been taken to ensure that the information provided in this Report is 
as accurate as possible, Internal Audit have only been able to base findings on the information and documentation provided and consequently no complete guarantee can be given that this Report is 
necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. 


The Report was prepared solely for the use and benefit of the ICO and to the fullest extent permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports 
to use or rely for any reason whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any reliance placed on the Report, its 
contents, conclusions, any extract, reinterpretation, amendment and/or modification by any third party is entirely at their own risk. Please refer to the Statement of Responsibility in Appendix A1 of this 
report for further information about responsibilities, limitations and confidentiality. 


01 Introduction 


Background 


This Annual Report incorporating our Internal Audit Opinion covers the work 
we have undertaken in respect of the Internal Audit Plan (the Plan) for 
2020/21. 


Government Accounting standards require Accounting Officers to make 
provision for Internal Audit in accordance with UK Public Sector Internal 
Audit Standards (PSIAS) as produced by the Internal Audit Standards 
Advisory Board. Within ICO, the Information Commissioner is the 
Accounting Officer and has responsibility for maintaining a sound system of 
internal control. 


The Coronavirus pandemic (Covid-19) and government restrictions have 
impacted on delivery of the internal audit service during the period. This 
included the Plan being conducted remotely. We noted within our review of 
the business planning methodology that the ICO had not completed the 2020/21 
business planning process due to Covid-19. This resulted in our review 
focussing only on the methodology used to develop the business plan. Further detail 
is provided in Sections 02 and 03 of the report. The ICO retained a full scope 
internal audit service for 2020/21. 


Scope and purpose of internal audit 


The purpose of internal audit is to provide the ICO, through the Audit 
Committee (AC) and the Information Commissioner (as Accounting Officer) 
with an independent and objective opinion on governance, risk management 
and internal control and their effectiveness in achieving the ICO’s agreed 
objectives. 


This opinion forms part of the framework of assurances that is received by 
the ICO and should be used to help inform the Annual Governance 
Statement. Internal Audit also has an independent and objective 
consultancy role to help line managers improve risk management, 
governance and control. 


Our professional responsibilities as Internal Auditors are set out within 
PSIAS. 
02 Internal Audit work undertaken in 2020/21 


The Internal Audit Strategy and Plan was considered and approved at the 
20 April 2020 AC meeting. In total the Plan was for 84 days, including 5 days 
of Follow Up and 10 days audit management. 


At the time of the approval of the Plan by AC, Covid-19 and government 
restrictions were in place. Whilst there were some practical implications 
around the approach to testing and evidence, overall there was minimal impact 
on the scope and ability to conduct the work. 


In addition to the above, we were in regular contact with the ICO to ensure 
the Plan and timings remained appropriate to the needs of the organisation. 
All planned reviews were delivered in accordance with the agreed Plan. 


The audit findings in respect of each of our finalised reviews, together with 
our recommendations for action and the management response, were set 
out in our detailed reports, which have been presented to the AC over the 
course of the year. In addition, we have presented a summary of our reports 
and progress against the Plan within our Progress Reports to each AC. 


A summary of the reports we have issued is included in Appendix A1. The 
appendix also describes the levels of assurance we have used in assessing 
the control environment and effectiveness of controls and the classification 
of our recommendations. 


03 Annual opinion 


Scope of the Internal Audit Opinion 


In giving our internal audit opinion, it should be noted that assurance can 
never be absolute. The most that the Internal Audit service can provide to 
the ICO is a reasonable assurance that there are no major weaknesses in 
governance, risk management and internal control processes. 


The matters raised in this report are only those which came to our attention 
during our internal audit work and are not necessarily a comprehensive 
statement of all the weaknesses that exist, or of all the improvements that 
may be required. We therefore reserve the right to revisit our report and 
overall opinion accordingly once this has been finalised. 


In arriving at our opinion, we have taken the following matters into account: 


• The impact on the internal audit plan as a result of Covid-19; 

• The results of all internal audits undertaken during the year ended 31 
March 2021; 

• The results of follow up action in respect of previous internal audits; 

• Whether or not any Priority 1 or 2 recommendations have not been 
accepted by management and the consequent risks; 

• The effects of any material changes in the organisation’s objectives or 
activities; 

• Matters arising from previous reports to the AC and/or ICO 
management; 

• Whether or not any limitations have been placed on the scope of internal 
audit; 

• Whether there have been any resource constraints imposed upon us, 
which may have impinged on our ability to meet the full internal audit 
needs of the organisation; and 

• What proportion of the organisation’s internal audit needs have been 
covered to date. 


Further detail on the classification and definitions of annual opinions raised 
in our reports can be found in Appendix A2. 
Impact of Covid-19 on internal audit work during the year 


During the year, we have continually consulted Management through 
regular liaison with the ICO governance team. We have completed all the 
internal audit work that was set out in the agreed internal audit plan. There 
was no significant impact on the scope and our ability to conduct internal 
audit reviews over the period. 


Internal Audit opinion 


On the basis of our audit work, our opinion on the framework of 
governance, risk management, and control is Moderate in its overall 
adequacy and effectiveness. Some improvements are required to 
enhance the adequacy and effectiveness of the framework of 
governance, risk management and control. 


We highlighted weaknesses in the area of stakeholder management 
where two fundamental recommendations were made. We also noted 
good practice in other areas, including our audits of fees and income, 
information governance, and investigations and enforcement, which 
provided substantial assurance opinions. 


All matters have been discussed with management, to whom we have 
made recommendations. All of these have been, or are in the process of 
being addressed, as detailed in our individual reports. 


In reaching this opinion the following factors were taken into particular 
consideration: 


Corporate governance 


In order to provide an opinion on Corporate Governance we have 
considered this within our internal audit reviews, where appropriate. This 
work included reviewing areas of responsibility, reporting lines, decision 
making aspects and performance reporting within each internal audit review, 
where applicable. 


For example, we noted good controls in place for reporting high priority 
investigations, and information governance and security matters through 
our various reports provided to the AC. 


Risk management 


Our opinion in this area was informed through several activities during the 
year, including development of the Plan itself, as well as implementing our 
risk-based approach through each individual assignment, including our ‘Risk 
Management’ thematic in each assignment report. 


From our attendance at AC throughout the year, we are also able to observe 
that the Risk and Opportunity Register (ROR) continues to be regularly 
updated and reported to the AC, with appropriate oversight and scrutiny. 


Internal control 


A system of internal control is one of the primary means of managing risk 
and consequently the evaluation of its effectiveness is central to Internal 
Audit’s responsibilities. The internal control environment at the ICO has 
been assessed through the programme of audit reviews detailed in 
Appendix A1. 


Of the seven audits undertaken in the year, where we provided a formal 
assurance, one received ‘Limited’ assurance, three received an ‘Adequate’ 
level of assurance and three received a ‘Substantial’ assurance rating. 


From the seven reports, we made two ‘Priority 1’ recommendations, 13 
‘Priority 2’ recommendations and 14 ‘Priority 3’ recommendations. All 
recommendations were accepted. 


Follow up 


As part of the Plan, we undertook a Follow Up exercise during the year to 
verify progress in implementing outstanding audit recommendations. From 
the review we identified that all 25 recommendations had been implemented. In 
addition, there were nine recommendations that were not due for 
implementation at the time of the review. 


Recommendations implemented increased as a proportion of total 
recommendations compared with the previous year, when 79% of recommendations 
were implemented. 
04 Added value 


As part of our work during the year, we have completed several areas or activities which have added value beyond the assurance levels and 
recommendations raised in our reports. These can include presentations (both formal and informal) to the AC, additional pieces of specific work or analysis, 
or detail included in our Value for Money, Sector Comparison, or Appendices within our reports. Particular matters highlighted to the ICO through our work in 
the year include: 


We identified within our investigations and enforcement report that the ICO 
uses dedicated software that, as well as being secure, provides functionality 
for recording, monitoring and investigating incidents, improving the overall 
efficiency of the process. 

We noted a number of good areas related to value for money within our 
information governance review. These included ensuring robust controls are 
in place to facilitate smooth communication, prevention of data breaches, 
ensuring information rights are respected and ensuring compliance with data laws. 

We identified a number of value for money areas within our HR core controls 
review. These included recruitment, pre-employment checks and the Covid-19 
response. 


Sector Insights 


In our high priority investigations report we noted that the ICO has a number 
of areas of good practice as seen at other regulators. These include a focus 
of resource on the greatest risks, a regime of continuous improvement, and 
early identification and management of issues. 

We noted within our fees and income report that, whilst data protection fees 
are unique to the ICO, their collection process has a number of good processes 
in place similar to those of other organisations for the collection of debts. 


During Covid-19, we have engaged with the ICO and had regular contact to enable completion of the Plan. We have shared insights in respect of Covid-19 in our 
updates to the AC and ICO management team. 

We have also held Governance Forums and Covid-19 webinars, to which ICO representatives have been invited. 

Our Consultancy Advisory team undertook a business continuity effectiveness review. This identified eight opportunities for the ICO to help improve in 
this area. 

We reviewed the ICO’s new compliance reporting framework and provided feedback to help with improvement to this. 
05 Benchmarking 


This section compares the Assurance Levels (where given) and 
categorisation of recommendations made at the ICO. 


Comparison of assurance levels (where given) 


We have provided assurance opinions in seven reports this year, providing 
‘Substantial’ assurance in three reports, ‘Adequate’ in three reports and 
‘Limited’ in one report. 


In comparison to the previous year, we have provided the same number of 
‘Substantial’ assurance reports with two fewer ‘Adequate’ assurance 
reports and one ‘Limited’ Assurance report. Our benchmarking suggests 
that the ICO’s overall control environment has remained similar to the 
previous year. 


Annual Internal Audit Opinions 


[Chart: number of assurance opinions by year (2018/19, 2019/20, 2020/21), split into Substantial, Adequate and Limited] 


Comparison of recommendations by categorisation (where given) 


Over the past year, we have made a total of 29 new recommendations 
(excluding advisory recommendations), which included two ‘Priority 1’, 13 
‘Priority 2’ and 14 ‘Priority 3’ recommendations. 


Previously we have not reported any ‘Priority 1’ recommendations. 
However, the total number of recommendations, as well as the number of 
‘Priority 2’ recommendations has fallen over the last two years. 


Annual Internal Recommendations 


[Chart: number of recommendations by year (2018/19, 2019/20, 2020/21), split into Priority 1, Priority 2 and Priority 3] 
06 Performance of Internal Audit 


Internal Audit Quality Assurance 


In order to ensure the quality of the work we perform, we have a programme 
of quality measures, which includes: 


• Supervision of staff conducting audit work; 

• Review of files of working papers and reports by managers and 
partners; 

• The use of satisfaction surveys for each completed assignment; 

• Annual appraisal of audit staff and the development of personal 
development and training plans; 

• Sector specific training for staff involved in the sector; 

• Regular meetings of our Sector Strategy Groups, which issue technical 
guidance to inform staff and provide instruction with regard to technical 
issues; and 

• The maintenance of the firm’s Internal Audit Manual. 


Conflicts of Interest 


There have been no instances during the year which have impacted on our 
independence and/or lead us to declare any interest. 


Performance Measures 


We have completed our audit work in accordance with the agreed Plan and 
each of our final reports has been reported to the AC. We have received positive 
feedback on our work from the AC and staff involved in the audits. 


Compliance with professional standards 


We employed a risk-based approach to determining the audit needs of the ICO 
at the start of the year and used a risk-based methodology in planning and 
conducting our audit assignments. Our work has been performed in accordance 
with PSIAS. 


A1 Summary of Internal Audit work undertaken in 2020/21 


The following reviews were undertaken during the 2020/21 audit year: 


                                                                     Recommendations 

Auditable Area                                 Level of Assurance    Priority 1       Priority 2       Priority 3 
                                                                     (Fundamental)    (Significant)    (Housekeeping) 

Business continuity planning                   N/A (Advisory) 
Methodology of the Business Planning Process 
Fees and income 
High priority investigations 
HR core controls 
Information governance 
Investigations and enforcement                 Substantial 
Stakeholder management 
Follow up 
A2 Assurance rating, recommendation level, and annual opinion definitions 


We use the following levels of assurance and recommendation classifications within our audit reports. 




Substantial Assurance   Our audit finds no significant weaknesses and we feel that overall risks are being effectively managed. The issues raised tend to be 
                        minor issues or areas for improvement within an adequate control framework. 


Adequate Assurance      There is generally a sound control framework in place, but there are significant issues of compliance or efficiency or some specific 
                        gaps in the control framework which need to be addressed. Adequate assurance indicates that despite this, there is no indication that 
                        risks are crystallising at present. 


Limited Assurance       Weaknesses in the system and/or application of controls are such that the system objectives are put at risk. Significant improvements 
                        are required to the control environment. 


Recommendation Classifications   Description 


Priority 1 (Fundamental)    Recommendations represent fundamental control weaknesses, which expose the ICO to a high degree of unnecessary risk. 


Priority 2 (Significant)    Recommendations represent significant control weaknesses which expose the ICO to a moderate degree of unnecessary risk. 


Priority 3 (Housekeeping)   Recommendations show areas where we have highlighted opportunities to implement a good or better practice, to improve efficiency 
                            or further reduce exposure to risk. 
For our annual opinion we use the following classifications for our annual internal audit report which will be provided as appropriate: 


Definitions of Annual Opinion   Definition 

Substantial      The framework of governance, risk management and control is adequate and effective. 

Moderate         Some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk management and 
                 control. 

Limited          There are significant weaknesses in the framework of governance, risk management and control such that it could be or could become 
                 inadequate and ineffective. 

Unsatisfactory   There are fundamental weaknesses in the framework of governance, risk management and control such that it is inadequate and 
                 ineffective or is likely to fail. 
A3 Statement of Responsibility 


We take responsibility to the ICO for this report which is prepared on the basis of the limitations set out below. 


The responsibility for designing and maintaining a sound system of internal control and the prevention and detection of fraud and other irregularities rests with 
management, with internal audit providing a service to management to enable them to achieve this objective. Specifically, we assess the adequacy and effectiveness 
of the system of internal control arrangements implemented by management and perform sample testing on those controls in the period under review with a view 
to providing an opinion on the extent to which risks in this area are managed. 


We plan our work in order to ensure that we have a reasonable expectation of detecting significant control weaknesses. However, our procedures alone should not 
be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify any circumstances of fraud or irregularity. Even sound systems 
of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. 


The matters raised in this report are only those which came to our attention during the course of our work and are not necessarily a comprehensive statement of 
all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before 
they are implemented. The performance of our work is not and should not be taken as a substitute for management’s responsibilities for the application of sound 
management practices. 


This report is confidential and must not be disclosed to any third party or reproduced in whole or in part without our prior written consent. To the fullest extent 
permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason whatsoever on the 
Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any reliance placed on the Report, its contents, 
conclusions, any extract, reinterpretation, amendment and/or modification by any third party is entirely at their own risk. 


Registered office: Tower Bridge House, St Katharine’s Way, London E1W 1DD, United Kingdom. Registered in England and Wales No 0C308299. 
Contacts 


Peter Cudlip 
Partner, Mazars 
peter.cudlip@mazars.co.uk 


Darren Jones 
Manager, Mazars 
darren.jones@mazars.co.uk 


Mazars is an internationally integrated partnership, specialising in audit, accountancy, advisory, tax and legal services*. Operating in over 90 countries and 
territories around the world, we draw on the expertise of 40,400 professionals — 24,400 in Mazars’ integrated partnership and 16,000 via the Mazars North 
America Alliance — to assist clients of all sizes at every stage in their development. 


*where permitted under applicable country laws. 


www.mazars.co.uk 